3 Replies Latest reply on Nov 13, 2013 1:58 PM by vimalnavis

    HDLP - can you use ePO tags for  HDLP policy assignment?




      In HDLP 9.3,  and on a fresh ePO 4.6.6, I use computer assignment groups currently for HDLP policy. 


      I thought I might want to  make certain "exception" hosts get a different HDLP policy / mass storage rules  by putting an ePO tag on them.    For instance, imagine a host where you don't want any HDLP device control blocking used for whatever reason, and tag it as NoDeviceControl


      I'm gathering that perhaps I've gone a big tag mad .. and it doesn't seem that policies can be influenced by ePO tags, only tasks?   Is that correct?    Are my choices therefore, for different HDLP policy for a given computer... to use either a)  an ePO subgroup to break inheritance on the HDLP computer assignment group  and choose a separate HDLP ePO policy at that level,  or b) into leveraging user assignment somehow to define an exception list in AD with in the device rules inside the DLP Policy editor?


      Thanks in advane for any advice as I try to flatten the ePO hierarchy and take more advantage of tagging.

        • 1. Re: HDLP - can you use ePO tags for  HDLP policy assignment?

          Any reason you are using Computer Assignment instead of User Assignment?

          • 2. Re: HDLP - can you use ePO tags for  HDLP policy assignment?

            This environment's history has been pretty workstation centric, and there's an enforcement of a user to workstation notion. 


            And the last time I tried using an AD security group to specify dlp exceptions per user, it totally didn't work at all.  

            • 3. Re: HDLP - can you use ePO tags for  HDLP policy assignment?

              To your original question, DLPe does not support Policy Assignment Rules. You will need to use the sub group/break inheritence method. You could still use tags and server tasks to move systems to a specific group and then assign a Computer Based Assignment policy just to that group.


              Why would you exclude certain machines and create a security gap?

              Unless there is a need to use Computer Based Assignment you would want to use User Based. The reasoning is that unlike a Anti-Malware product that does not care about a user's role, Data ties directly to a user's role.

              You would want to get used to the User Based Assignments if at some point later you will be using Content Rules.

              I have never faced issues with excluding users part of a AD Security Group. Distribution Groups do not have a SID associated with them and will not work.